EVALUATION REPORT

Information Security Risk Evaluation of
NRC's Technical Training Center – Chattanooga, TN

OIG 13-A-11                January 30, 2013

All publicly available OIG reports (including this report) are accessible through NRC's Web site at:
http://www.nrc.gov/reading-rm/doc-collections/insp-gen/

Contract Number: GS-00F-0001N
NRC Order Number: D12PD01191
January 22, 2013

The views, opinions, and findings contained in this report are those of the authors and should not be construed as an official Nuclear Regulatory Commission position, policy, or decision, unless so designated by other official documentation.

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001
OFFICE OF THE INSPECTOR GENERAL

January 30, 2013

MEMORANDUM TO:  R. William Borchardt
                Executive Director for Operations

FROM:           Stephen D. Dingbaum /RA/
                Assistant Inspector General for Audits

SUBJECT:        INFORMATION SECURITY RISK EVALUATION OF NRC'S TECHNICAL TRAINING CENTER – CHATTANOOGA, TN (OIG-13-A-11)

Attached is the Office of the Inspector General's (OIG) evaluation report titled Information Security Risk Evaluation of NRC's Technical Training Center – Chattanooga, TN.

The report presents the results of the subject evaluation. The agency agreed with the evaluation findings at the December 7, 2012, exit conference and did not provide any changes to the draft report.

Please provide information on actions taken or planned on the recommendation within 30 days of the date of this memorandum. Actions taken or planned are subject to OIG followup as stated in Management Directive 6.1.

We appreciate the cooperation extended to us by members of your staff during the audit. If you have any questions or comments about our report, please contact me at 415-5915 or Beth Serepca, Team Leader, Security and Information Management Team, at 415-5911.

Attachment: As stated

EXECUTIVE SUMMARY

BACKGROUND

The U.S. Nuclear Regulatory Commission (NRC) Office of the Inspector General tasked Richard S. Carson & Associates, Inc., to perform an information security risk evaluation of NRC's regional offices and the Technical Training Center (TTC). This report presents the results of the information security risk evaluation for the TTC, which is located in Chattanooga, Tennessee.

OBJECTIVES

The TTC information security risk evaluation objectives were to:

- Perform an independent information security risk evaluation of the NRC information technology (IT) security program, policies, and practices for compliance with the Federal Information Security Management Act (FISMA) of 2002 in accordance with Office of Management and Budget guidance and Federal regulations and guidelines as implemented at the TTC.
- Evaluate the effectiveness of agency security control techniques as implemented at the TTC.

RESULTS IN BRIEF

The TTC has made improvements in its implementation of NRC's IT security program and practices for NRC IT systems since the previous evaluations in 2003, 2006, and 2009. All corrective actions from the previous evaluations have been implemented. However, the TTC IT security program and practices are not always consistent with NRC's IT security program, as summarized below.

IT Security Program

Some NRC-owned laptops do not have a current authority to operate. As a result, the TTC is not fully compliant with NRC requirements for laptop systems.

RECOMMENDATIONS

This report makes a recommendation to the Executive Director for Operations to improve NRC's IT security program and implementation of FISMA at the TTC.

AGENCY COMMENTS

At an exit conference on December 7, 2012, agency officials agreed with the findings and did not provide any changes to the draft report. The agency opted not to submit formal comments.

ABBREVIATIONS AND ACRONYMS

FISMA        Federal Information Security Management Act
ISSO         Information Systems Security Officer
IT           Information Technology
MD           Management Directive
NIST         National Institute of Standards and Technology
NRC          Nuclear Regulatory Commission
OIG          Office of the Inspector General
OMB          Office of Management and Budget
SGI          Safeguards Information
TTC          Technical Training Center

TABLE OF CONTENTS

Executive Summary
Abbreviations and Acronyms
1 Background
2 Objectives
3 Findings
  3.1 Information Technology Security Program
    3.1.1 TTC Laptop Systems
      FINDING #1: Some Laptops Do Not Have a Current Authority To Operate
    3.1.2 Laptop System Requirements
    3.1.3 Agency Has Not Fully Met Requirements
4 Agency Comments
Appendix. Objectives, Scope, and Methodology

1       Background

The U.S. Nuclear Regulatory Commission (NRC) Technical Training Center (TTC) provides training for the staff in various technical disciplines associated with the regulation of nuclear materials and facilities and is located in Chattanooga, Tennessee. The TTC is part of the Office of the Chief Human Capital Officer and operates under the direction of the Associate Director for Human Resources Training and Development.

Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, requires agencies to implement and maintain an information technology (IT) security program, including the preparation of policies, standards, and procedures. An effective IT security program is an important managerial responsibility. Management establishes a positive climate by making computer security a part of the information resources management process and providing support for a viable IT security program.

On December 17, 2002, the President signed the E-Government Act of 2002, which included the Federal Information Security Management Act (FISMA) of 2002.[1] FISMA outlines the information security management requirements for agencies, which include an annual independent evaluation of an agency's information security program[2] and practices to determine their effectiveness. This evaluation must include testing the effectiveness of information security policies, procedures, and practices for a representative subset of the agency's information systems. The evaluation also must include an assessment of compliance with FISMA requirements and related information security policies, procedures, standards, and guidelines. FISMA requires the annual evaluation to be performed by the agency's Office of the Inspector General (OIG) or an independent external auditor.[3]

NRC maintains an IT security program to provide appropriate protection of information resources. In this regard, the role of the NRC OIG is to provide oversight of agency programs, including the IT security program, in support of the NRC goal to ensure the safe use of radioactive materials for beneficial civilian purposes while protecting people and the environment.

In support of its FISMA obligations, the NRC OIG tasked Richard S. Carson & Associates, Inc., to perform an information security risk evaluation of NRC's regional offices and the TTC to evaluate IT security programs in place at those locations, to include an assessment of potential physical security weaknesses, and to identify existing problems and make recommendations for corrective actions.

The information security risk evaluation focused on the following elements of NRC's IT security program, policies, and practices:

- Physical and Environmental Security Controls.
- Logical Access Controls.
- Configuration Management.
- Continuity of Operations and Recovery.
- IT Security Program.

This report presents the results of the information security risk evaluation for the TTC.

[1] The Federal Information Security Management Act of 2002 was enacted on December 17, 2002, as part of the E-Government Act of 2002 (Public Law 107-347) and replaces the Government Information Security Reform Act, which expired in November 2002.

[2] NRC uses the term "information security program" to describe its program for ensuring that various types of sensitive information are handled appropriately and are protected from unauthorized disclosure in accordance with pertinent laws, Executive orders, management directives, and applicable directives of other Federal agencies and organizations. For the purposes of FISMA, the agency uses the term IT security program.

[3] While FISMA uses the language "independent external auditor," OMB Memorandum M-04-25, FY 2004 Reporting Instructions for the Federal Information Security Management Act, clarified this requirement by stating, "Within the context of FISMA, an audit is not contemplated. By requiring an evaluation but not an audit, FISMA intended to provide Inspectors General some flexibility…."

2      Objectives

The TTC information security risk evaluation objectives were to:

- Perform an independent information security risk evaluation of the NRC IT security program, policies, and practices for compliance with FISMA in accordance with OMB guidance and Federal regulations and guidelines as implemented at the TTC.
- Evaluate the effectiveness of agency security control techniques as implemented at the TTC.

The report appendix contains a description of the evaluation objectives, scope, and methodology.

3      Findings

The TTC has made improvements in its implementation of NRC's IT security program and practices for NRC IT systems since the previous evaluations in 2003, 2006, and 2009. All corrective actions from the previous evaluations have been implemented. However, the TTC IT security program and practices are not always consistent with NRC's IT security program as defined in Management Directive (MD) and Handbook 12.5, NRC Automated Information Security Program; other NRC policies; FISMA; and National Institute of Standards and Technology (NIST) guidance. While many TTC automated and manual IT security controls are generally effective, some IT security controls need improvement. Specifics on the TTC IT security program are described in the following section.

3.1    Information Technology Security Program

Overall, the TTC is following agency security policies and procedures regarding IT security. The TTC has developed operating procedures that are generally up-to-date and are available on the Human Resources Training and Development internal Web site. Staff receive IT security training during new employee orientation and take annual security awareness training, and the Information Systems Security Officer (ISSO) sends periodic e-mails related to IT security. Users are generally aware of and are following agency and TTC IT security policies and procedures.

However, the evaluation team found issues with the TTC laptop systems.

3.1.1 TTC Laptop Systems

Laptops in use at the TTC are either seat-managed laptops or NRC-owned laptops. Seat-managed laptops in use at the TTC include one laptop that is part of the agency's new work from anywhere/mobile desktop program. NRC-owned laptops in use at the TTC include a pool of laptops used for various purposes and one laptop used to process safeguards information (SGI).

FINDING #1: Some Laptops Do Not Have a Current Authority To Operate

The NRC Laptop Security Policy, which specifies the requirements for authorization of laptop systems, states that all NRC laptops must be either designated a system or included as part of an existing system. NRC-owned laptops in use at the TTC include a pool of laptops used for various purposes and one laptop used to process SGI. However, the evaluation team found that some NRC-owned laptops do not have a current authority to operate. As a result, the TTC is not fully compliant with NRC requirements for laptop systems.

3.1.2 Laptop System Requirements

The NRC Laptop Security Policy states that all NRC laptops must either be designated a system or be included as part of an existing system. All laptops that are not seat-managed are considered to be organization-managed, i.e., NRC-owned. All NRC-owned laptops that process or access classified national security information belong to that office's or region's "Classified Laptop System." All NRC-owned laptops that process or access SGI and are not part of the office's or region's "Classified Laptop System" belong to that entity's "SGI Laptop System." All NRC-owned laptops that are not part of the office's or region's "Classified Laptop System" or the office's or region's "SGI Laptop System" belong to that entity's "General Laptop System."

The NRC Laptop Security Policy also specifies the following requirements for authorization (formerly referred to as accreditation):

- Laptop systems must meet the requirements provided in the relevant standard security plan. There is a different standard security plan for classified, SGI, and general laptops.
- Laptop systems must be certified by the system owner as compliant with the relevant laptop system requirements.
- Laptop systems must be accredited by the appropriate Designated Approving Authority prior to processing any relevant (i.e., classified, SGI, sensitive unclassified) information on the system.
- Certification of a laptop system requires a system certification memorandum from the laptop system owner. The memorandum must include an enclosure that provides the names and contact information for the System Owner, Certification Agent, ISSO, Alternate ISSO, and System Administrator.
- For each laptop or removable hard drive that is part of the laptop system, the enclosure must provide information such as physical storage location, location where the system is used, brand, model, tag number, and peripherals.

3.1.3 Agency Has Not Fully Met Requirements

The TTC has not established a general laptop system to cover its pool of laptops; however, the TTC laptop pool is in the process of being authorized to operate. A system description has been written for the TTC general laptop system, and the laptops have been evaluated using security criteria provided by the Computer Security Office. The TTC plans to submit a request for authority to operate the general laptop system in the next few months.

In addition, the TTC has one laptop used to process SGI, for which the TTC developed a physical security plan for the protection of safeguards information, dated January 2009. However, the TTC has not established a TTC SGI laptop system to cover this laptop, and the physical security plan does not meet the requirements for a system description of an SGI laptop system. For example, the document does not list those responsible for the SGI laptop, such as the system owner, ISSO, and system administrator, and does not include the required laptop specifics such as encryption, hardware, installed software, and any deviations from the standard SGI laptop security plan. In addition, the SGI laptop has not been officially authorized to operate.

RECOMMENDATION

The Office of the Inspector General recommends that the Executive Director for Operations:

1. Establish an SGI laptop system and complete the process described in the NRC Laptop Security Policy for authorization of the SGI laptop system.

4      Agency Comments

At an exit conference on December 7, 2012, agency officials agreed with the findings and did not provide any changes to the draft report. The agency opted not to submit formal comments.

Appendix.          OBJECTIVES, SCOPE, AND METHODOLOGY

OBJECTIVES

The TTC information security risk evaluation objectives were to:

- Perform an independent information security risk evaluation of the NRC IT security program, policies, and practices for compliance with FISMA in accordance with OMB guidance and Federal regulations and guidelines as implemented at the TTC.
- Evaluate the effectiveness of agency security control techniques as implemented at the TTC.

SCOPE

The scope of this information security risk evaluation included:

- The four floors the TTC occupies at 5746 Marlin Road, Chattanooga, Tennessee 37411-5677.
- TTC seat-managed equipment.
- TTC NRC-managed equipment.

The information security risk evaluation did not include controls related to the management of safeguards or classified information.

The evaluation work was conducted during a site visit to the TTC in Chattanooga, TN, between December 3, 2012, and December 7, 2012. Any information received from the agency subsequent to the completion of fieldwork was incorporated when possible. Throughout the evaluation, evaluators were aware of the potential for fraud, waste, or misuse in the program.

METHODOLOGY

Richard S. Carson & Associates, Inc., conducted a high-level, qualitative evaluation of the NRC IT security program, policies, and practices as implemented at the TTC, and evaluated the effectiveness of agency security control techniques as implemented at the TTC.

In conducting the information security risk evaluation, the following areas were reviewed: physical and environmental security controls, logical access controls, configuration management, continuity of operations and recovery, and IT security program. Specifically, the evaluation team conducted site surveys of the four floors the TTC occupies at 5746 Marlin Road, Chattanooga, Tennessee 37411-5677, focusing on the areas that house IT equipment. The team conducted interviews with the TTC alternate ISSO, the seat-management server administrator, the TTC server administrator, and other TTC staff members responsible for implementing the agency's IT security program at the TTC. The evaluation team also conducted user interviews with 12 TTC employees. The team reviewed documentation provided by the TTC including floor plans, inventories of hardware and software, local policies and procedures, security plans, backup procedures, contingency plans, and the Occupancy Emergency Plan. The information security risk evaluation also included a network vulnerability assessment scan of the TTC network. The scan did not include the network that supports the simulators.

All analyses were performed in accordance with guidance from the following:

- NIST standards and guidelines.
- NRC MD and Handbook 12.5, NRC Automated Information Security Program.
- NRC Computer Security Office policies, processes, procedures, standards, and guidelines.
- NRC OIG audit guidance.

The work was conducted by Jane M. Laroussi, CISSP, CAP, GIAC ISO-17799, and Virgil Isola, CISSP, from Richard S. Carson & Associates, Inc.